Improper Verification of Cryptographic Signature in jsrsasign by Kjur
CVE-2026-4600

9.1CRITICAL

Key Information:

Vendor: Kjur
Status: Jsrsasign
Vendor: CVE Published:; 23 March 2026

What is CVE-2026-4600?

The jsrsasign library, specifically versions prior to 11.1.1, has a critical vulnerability that arises from improper verification of cryptographic signatures. The flaw exists due to inadequate validation of DSA domain parameters in the KJUR.crypto.DSA.setPublic function. This weakness allows an attacker to forge DSA signatures or X.509 certificates that can bypass verification checks. By manipulating parameters such as g=1, y=1, and a fixed r=1, an attacker can satisfy the verification equation for any hash, leading to potential security breaches.

Affected Version(s)

jsrsasign 0 < 11.1.1

References

https://security.snyk.io/vuln/SNYK-JS-JSRSASIGN-15370940

https://gist.github.com/Kr0emer/bf15ddc097176e951659a24a8...

https://github.com/kjur/jsrsasign/pull/646

CVSS V4

Score:

9.1

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

High

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 23, 2026
Vulnerability Reserved
Mar 22, 2026

Credit

Kr0emer

CVE-2026-4600 Data

JSON